From 7b222710386195e301ee8677f58eb3a7d14ae642 Mon Sep 17 00:00:00 2001
From: Alex Lebens <alexanderlebens@gmail.com>
Date: Mon, 15 Dec 2025 18:54:50 -0600
Subject: [PATCH] add mover security context

---
 charts/volsync-target/Chart.yaml              |  2 +-
 charts/volsync-target/README.md               |  3 ++-
 .../templates/replication-source.yaml         | 24 ++++++++++++++++---
 charts/volsync-target/values.yaml             |  3 +++
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/charts/volsync-target/Chart.yaml b/charts/volsync-target/Chart.yaml
index 46d799b..2063e4e 100644
--- a/charts/volsync-target/Chart.yaml
+++ b/charts/volsync-target/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.3.0
+version: 0.4.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target
diff --git a/charts/volsync-target/README.md b/charts/volsync-target/README.md
index 21e30df..32e5967 100644
--- a/charts/volsync-target/README.md
+++ b/charts/volsync-target/README.md
@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -29,6 +29,7 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
 | local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 2 * * *"` | 5 character cron schedule |
+| moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
diff --git a/charts/volsync-target/templates/replication-source.yaml b/charts/volsync-target/templates/replication-source.yaml
index da69ac4..4c8e247 100644
--- a/charts/volsync-target/templates/replication-source.yaml
+++ b/charts/volsync-target/templates/replication-source.yaml
@@ -21,7 +21,13 @@ spec:
     retain:
     {{- with .Values.local.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+      moverSecurityContext:
+      {{- with .Values.moverSecurityContext }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.local.restic.copyMethod }}
     storageClassName: {{ .Values.local.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.local.restic.volumeSnapshotClassName }}
@@ -51,7 +57,13 @@ spec:
     retain:
     {{- with .Values.remote.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+      moverSecurityContext:
+      {{- with .Values.moverSecurityContext }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.remote.restic.copyMethod }}
     storageClassName: {{ .Values.remote.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.remote.restic.volumeSnapshotClassName }}
@@ -81,7 +93,13 @@ spec:
     retain:
     {{- with .Values.external.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+      moverSecurityContext:
+      {{- with .Values.moverSecurityContext }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.external.restic.copyMethod }}
     storageClassName: {{ .Values.external.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.external.restic.volumeSnapshotClassName }}
diff --git a/charts/volsync-target/values.yaml b/charts/volsync-target/values.yaml
index c3857b3..9e87420 100644
--- a/charts/volsync-target/values.yaml
+++ b/charts/volsync-target/values.yaml
@@ -10,6 +10,9 @@ additionalLabels: {}
 # -- Name of the PVC target
 pvcTarget: "data"
 
+# -- Glocal security context for restic mover
+moverSecurityContext: {}
+
 # -- Use external secrets
 externalSecrets:
   enabled: true